Malware Analysis Report

2024-09-11 12:23

Sample ID 240612-w5f7zayfkm
Target 2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid
SHA256 d85919c56db5440117377001f48c115408c4251358caa2ed1d4b2f775bb0dbb9
Tags
sality backdoor discovery evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d85919c56db5440117377001f48c115408c4251358caa2ed1d4b2f775bb0dbb9

Threat Level: Known bad

The file 2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Sality

Windows security bypass

Modifies firewall policy service

UAC bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

UPX packed file

Windows security modification

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:30

Reported

2024-06-12 18:32

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows: the signature matched, but no description, indicator, process or target was recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows: the signature matched, but no description, indicator, process or target was recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows: the signature matched, but no description, indicator, process or target was recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A (20 identical entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe"

Network

N/A

Files

memory/2072-0-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2072-1-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-5-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-8-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-11-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-12-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-7-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-10-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-9-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-6-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-28-0x0000000004050000-0x0000000004052000-memory.dmp

memory/2072-29-0x0000000004050000-0x0000000004052000-memory.dmp

memory/2072-27-0x00000000041B0000-0x00000000041B1000-memory.dmp

memory/2072-13-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-25-0x00000000041B0000-0x00000000041B1000-memory.dmp

memory/2072-24-0x0000000004050000-0x0000000004052000-memory.dmp

memory/1056-15-0x0000000001C60000-0x0000000001C62000-memory.dmp

memory/2072-14-0x00000000020E0000-0x000000000316E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\settings.ini

MD5 eee0a87d02a9a0d2fed770a27ec1669c
SHA1 faf86fd862da5ffefc31d14318aa06f43b5f3136
SHA256 b9046cae7ec843a7d7fbcdb33523a835dfa3015718d1c7a6aa5803b0892c25d8
SHA512 050b73d600fc69b4e14d1cb68c7a928065cd96c3dfb73e11a637d44fb1143bb75dd220a31a975aaa61331019a523204b6097af7d405a287dca0a965b415049f4

memory/2072-41-0x00000000020E0000-0x000000000316E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\settings.ini

MD5 ad499c0a7b7f87a96fd861553af2e447
SHA1 aa5fbdbc0f5d382472ac5fb8de3aecc58eb38f7e
SHA256 e03f6e09760147c24646e55bfb3b4ad38258e256ad2cfcb85ec9c1df0d9387d1
SHA512 4fecf828a9a02b0d372e79d4c210da599f42b95fce8f632bdf3f94f92b6626778e73e8a183703d90193365a355e74b6525f2004c67299bec10e31027a502097b

C:\Users\Admin\AppData\Local\Temp\settings.ini

MD5 05b6cfdfcafca196d6afbf13370cdcc3
SHA1 e75447fc79ca53ecca7b2a08cf62a2b4f39a4fff
SHA256 3e9d7dee3dffe35dcf5a5fde5ad23ba46754655a241cf01e2fd364ae677ea7b0
SHA512 6be6759a8c7e102a14f18b0682b55a86104ca84c7a176f9405a51bb050a731b3cd9cf1a3d87b6726ddc6cee46e6eed0215f6285c7055075246bc3202a23c4821

memory/2072-64-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-65-0x00000000020E0000-0x000000000316E000-memory.dmp

memory/2072-69-0x0000000004050000-0x0000000004052000-memory.dmp

memory/2072-82-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2072-68-0x00000000020E0000-0x000000000316E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 18:30

Reported

2024-06-12 18:32

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows: the signature matched, but no description, indicator, process or target was recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows: the signature matched, but no description, indicator, process or target was recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows: the signature matched, but no description, indicator, process or target was recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\fontdrvhost.exe
PID 1688 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\fontdrvhost.exe
PID 1688 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\dwm.exe
PID 1688 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\sihost.exe
PID 1688 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\svchost.exe
PID 1688 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\taskhostw.exe
PID 1688 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\Explorer.EXE
PID 1688 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\svchost.exe
PID 1688 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\DllHost.exe
PID 1688 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1688 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe
PID 1688 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1688 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe
PID 1688 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1688 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe
PID 1688 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1688 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1688 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\fontdrvhost.exe
PID 1688 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\fontdrvhost.exe
PID 1688 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\dwm.exe
PID 1688 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\sihost.exe
PID 1688 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\svchost.exe
PID 1688 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\taskhostw.exe
PID 1688 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\Explorer.EXE
PID 1688 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\svchost.exe
PID 1688 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\DllHost.exe
PID 1688 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1688 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe
PID 1688 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1688 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe
PID 1688 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1688 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe
PID 1688 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1688 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe
PID 1688 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_334e0947fd27dd85ae2c0b71792a6ab3_icedid.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.216:443 www.bing.com tcp
US 8.8.8.8:53 216.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/1688-0-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1688-1-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-3-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-6-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-27-0x00000000048E0000-0x00000000048E2000-memory.dmp

memory/1688-28-0x00000000048E0000-0x00000000048E2000-memory.dmp

memory/1688-11-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-23-0x00000000024D0000-0x000000000355E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\settings.ini

MD5 94f640e5f851040345a6009dda8c9cb6
SHA1 d2b57044fde36a1bbcd7c3f2a404a2c8661f491c
SHA256 bce2a034cf663374ab2e06a03f06fa836e01da44a15e5c254f1a8f09a8afdb06
SHA512 817d63ace3c51d6778f4218651fb541fe623409fdf96f93dd8102adf888f30f4de142800e84444d2a96e40941251898ee1df0ffb8400771b44b7672a32f32d2e

C:\Users\Admin\AppData\Local\Temp\settings.ini

MD5 05b6cfdfcafca196d6afbf13370cdcc3
SHA1 e75447fc79ca53ecca7b2a08cf62a2b4f39a4fff
SHA256 3e9d7dee3dffe35dcf5a5fde5ad23ba46754655a241cf01e2fd364ae677ea7b0
SHA512 6be6759a8c7e102a14f18b0682b55a86104ca84c7a176f9405a51bb050a731b3cd9cf1a3d87b6726ddc6cee46e6eed0215f6285c7055075246bc3202a23c4821

memory/1688-8-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-7-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-5-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-25-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/1688-24-0x00000000048E0000-0x00000000048E2000-memory.dmp

memory/1688-26-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-51-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-52-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-53-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-54-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-55-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-57-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-58-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-60-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-61-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-62-0x00000000024D0000-0x000000000355E000-memory.dmp

memory/1688-72-0x00000000048E0000-0x00000000048E2000-memory.dmp

memory/1688-82-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1688-83-0x00000000024D0000-0x000000000355E000-memory.dmp